IoT Security Integration with Next-generation Firewalls
Table of Contents
IoT Security Integration with Next-generation Firewalls
IoT Security integrates with the logging service and
next-generation firewalls using Device-ID.
The IoT Security solution involves the
integration of three key architectural components to process network
data:
- Palo Alto Networks next-generation firewalls collect device data and send it to the logging service.
- The logging service uses a cloud-based log-forwarding process to direct the logs from firewalls to destinations like IoT Security and Strata Logging Service. Depending on the type of IoT Security subscription you have, the logging service either streams metadata to your IoT Security account and Strata Logging Service instance or just to your IoT Security account.
- IoT Security is an app that runs on a cloud-based platform in which machine learning, artificial intelligence, and threat intelligence are used to discover, classify, and secure the IoT devices on the network. The app ingests firewall logs with network traffic data and provides Security policy recommendations and IP address-to-device mappings to the firewall for use in Security policy rules. Administrators access the dynamically enriched IoT device inventory, detected device vulnerabilities, security alerts, and recommended policy sets through the IoT security portal.
The IoT Security app integrates with next-generation firewalls
through Device-ID, which is a construct that uses device identity
as a means to apply policy. The integration uses three mechanisms.
- Device dictionary – This is an XML file that IoT Security generates and makes available for Panorama and firewalls to import. The dictionary file provides the Panorama and firewall administrator with a list of device attributes for selection when importing recommended Security policy rules from IoT Security and when creating rules themselves. These attributes are profile, category, vendor, model, OS family, and OS version and are for both IoT and traditional IT devices. Although it’s not possible to download a device dictionary file, you can see the release notes summarizing the new content added to a file that your firewall has imported. To do this, log in to the PAN-OS web portal, select and then click Release Notes for the device dictionary file you want to learn about.
- Policy rule recommendations – After an IoT Security administrator creates a set of Security policy rules based on traffic from IoT devices in the same device profile, a firewall administrator can import them as recommendations for use in its policy set.
- IP address-to-device mappings – These mappings tell firewalls which attributes a device with a particular IP address has. When traffic to or from that IP address reaches a firewall, it checks if one of its attributes matches a policy and, if so, the firewall applies the policy. IoT Security sends IP address-to-device mappings to firewalls for both IoT and IT devices if the confidence score for device identities is high (90-100%) and they’ve sent or received traffic within the past hour.
The goal of Device-ID is to leverage the intelligence of IoT Security to enforce firewall
policy on IoT devices.
Device-ID
PAN-OS 10.0 introduces a new
concept for policy enforcement: Device-ID. Device-ID is a way to
enforce policy rules based on device attributes. IoT Security provides
the firewall with a device dictionary file containing a list of
device attributes such as profiles, categories, vendors, and models.
For various attributes in the dictionary file, it lists a set of
entries. For example, three entries for the profile attribute might
be Advidia Camera, BK Medical UltraSound Machine, and Carefusion
Infusion Pump Base Station.
Currently, Device-ID is not supported on multi-vsys firewalls.
When configuring a Security policy
rule, firewall administrators have the option to select device attributes
from the device dictionary. If they select profile,
they can choose one of the profile entries: Polycom IP
Phone, for example. The policy rule then applies to
all devices that match this profile. But how does the firewall know
what the profile is for a device? It knows this from the IP address-to-device
mappings that IoT Security also gives the firewall. These mappings
identify attributes for each device. When traffic from an IP address
that's mapped to a device attribute specified in the policy rule
reaches the firewall, the policy rule lookup will find a match with
this rule and apply whatever action it enforces.
A firewall downloads
a device dictionary file from the update server. The dictionary
file populates entries in all the Device-ID attribute lists for
profile, category, vendor, and so on. These attribute entries are
then available for use as policy rule configuration elements. The
firewall administrator next configures a firewall policy rule using
the profile attribute “Polycom IP Phone”. After a Polycom Trio 8800 device
joins the network and IoT Security identifies it, IoT Security provides
the firewall with an IP address-to-device mapping for it. The two
key elements in the mapping for this example are its device profile
(Polycom IP Phone profile, highlighted in yellow) and its IP address (10.1.2.3,
highlighted in blue). When traffic from the Polycom Trio 8800 device
at 10.1.2.3 reaches the firewall, it does a Device-ID policy rule
lookup, finds that the profile for the device at this IP address
matches one specified in a policy rule, and then applies the rule.
If
a firewall becomes disconnected from IoT Security, the firewall
retains its IP address-to-device mappings and continues enforcing
Device-ID policy rules with them until the connection is re-established.
Every
next-generation firewall model has the same maximum of 1000 unique
Device-ID objects.
The maximum of 1000 Device-ID objects is
not the same as that for IP address-to-device mappings. The maximum
number of IP address-to-device mappings varies based on firewall
model and is the same as the User-ID maximums listed in the + Show
More sections for each firewall model on the Product Selection page.
More
information about the Device-ID feature is in
the PAN-OS Administrator’s Guide.
Device Dictionary
The
device dictionary is an XML file for firewalls to use in Security
policy rules. It contains entries for the following device attributes: profile,
category, vendor, model, OS family, and OS version. These entries
come from devices across all IoT Security tenants and are completely
refreshed on a regular basis and posted as a new file on the update
server. If there are any changes to a dictionary entry, a revised
file will be posted on the update server so that Panorama and firewalls
will automatically download and install it the next time they check
the update server, which they do automatically every two hours.
IP
Address-to-device Mappings
After IoT Security identifies
a device, it bundles the following set of identifying characteristics
about it:
- IP address
- MAC address
- Hostname
- Device type
- Device category
- Device profile
- Vendor
- Model
- OS family
- OS version
- Risk score
- Risk level
Firewalls poll IoT Security for these IP address-to-device mappings for use in policy
enforcement. A firewall polls for new or modified mappings every second, and IoT Security returns mappings that it has identified with high confidence (a
confidence score of 90-100%) for devices that were active within the last hour. For
each IP address-to-device mapping that a firewall receives, the firewall generates
an entry in its host information profile (HIP) Match log.
If IoT Security discovers duplicate IP address-to-device mappings—that is, there are two IP
addresses mapped to the same device MAC address—it resolves it to the MAC address
with the latest network activity.
There is no time
limit for how long a firewall retains IP address-to-device mappings.
It only begins deleting them when its cache fills up, starting with
the oldest first.
Policy Rule Recommendations
You
can generate Security policy rule recommendations based on the normal,
acceptable network behaviors of the IoT devices in the same device
profile and manually import them into firewalls for enforcement.
PAN-OS 8.1 and later supports the importing of IoT Security.
For Panorama-managed firewalls
that have an IoT Security subscription requiring Strata Logging Service
– Panorama can only import policy rule recommendations if it was
used to onboard its managed firewalls
to .
Firewall and Panorama
Communications Related to IoT Security
IoT Security communications
from firewalls without Panorama management:
- Firewalls download device dictionary files from the update server at updates.paloaltonetworks.com on TCP port 443.
- Firewalls forward logs to the logging service on TCP ports 443 (for Enhanced Application logs) and 3978 (for all other firewall logs).For details about the ports and FQDNs required for next-generation firewalls to communicate with the logging service, see Strata Logging Service.
- Firewalls retrieve IP address-to-device mappings and policy recommendations from IoT Security on TCP port 443. Depending on their region, they use one of the following edge services URLs:
- United States: iot.services-edge.paloaltonetworks.com
- Canada: ca.iot.services-edge.paloaltonetworks.com
- EU: eu.iot.services-edge.paloaltonetworks.com
- Switzerland: ch.iot.services-edge.paloaltonetworks.com
- United Kingdom: uk.iot.services-edge.paloaltonetworks.com
- APAC: apac.iot.services-edge.paloaltonetworks.com
- Japan: jp.iot.services-edge.paloaltonetworks.com
- Australia: au.iot.services-edge.paloaltonetworks.com
The following table summarizes the relationship of different data lake regions/ingestion regions with IoT Security application regions:Data Lake Region/Ingestion RegionIoT Security Application RegionAmericasCanadaCanada, United States*United StatesUnited StatesFedRAMPFedRAMPEuropean UnionFranceGermanyGermanyGermanyItalyGermanyNetherlandsGermanyPolandGermanySpainGermanySwitzerlandSwitzerland, Germany*United KingdomUnited Kingdom, Germany*Asia-PacificAustraliaAustralia, Singapore*IndiaSingaporeIndonesiaSingaporeJapanJapanSingaporeSingapore*Switzerland and the United Kingdom were added as IoT Security application regions on 7/31/2023. When onboarding IoT Security after this date to existing firewall deployments established before it, the firewalls continue to use Germany as the IoT Security application region. When onboarding IoT Security to new deployments in Switzerland or the United Kingdom established after 7/31/2023, the firewalls will use the local IoT Security application region for each country.A similar situation exists in Canada, which continues to use United States – Americas as the IoT Security application region for deployments existing before 1/25/2023 and Canada for new deployments after this date. Likewise, deployments existing before 10/25/2022 in Australia still use the IoT Security application in Singapore while new deployments after this date use Australia. - During the certificate exchange between a firewall and the edge server in front of the IoT Security cloud, they verify each other’s certificates. The firewall validates the certificate it receives by checking these sites:
- *.o.lencr.org
- x1.c.lencr.org
Communications to these sites occur over HTTP on TCP port 80.
IoT Security communications from Panorama:
- A Panorama management server imports policy recommendations from IoT Security through the same URLs listed above that firewalls use. When validating the certificate the edge server presents, Panorama checks the same sites listed above that firewalls check.Firewalls under Panorama management still contact IoT Security through regional edge services URLs for IP address-to-device mappings, they still download device dictionaries from the update server, and they still forward logs to the logging service.
- A Panorama management server sends queries for logs to the logging service on TCP port 444.